✓ Link copied
DPDPA 2023 Compliance

Section 12 Crunch Time: ₹200 Crore Penalty for Retail & Hospitality Data Erasure Failures

Applies toRetail chains, hospitality groups, and food service businesses handling customer transaction data in India
Primary lawDPDPA 2023 · Section 12
Penalty ceilingup to ₹200 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

Section 12 Compliance Deadline: Retail & Hospitality Chains Must Implement Data Erasure Processes Now

NEW DELHI, July 2026 — As the Data Protection Board and sector regulators escalate Section 12 enforcement actions against retail and hospitality chains, industry leaders are rushing to implement complaint-handling systems for customer data correction and erasure requests.

What Changed: Section 12 Enforcement Escalation

The DPDPA’s Section 12 grants Data Principals (customers) explicit rights to correct, update, complete, or erase their personal data. Retail chains and hospitality groups that ignore these requests now face penalties up to ₹200 crore per violation under Section 8 enforcement mechanisms tied to data fiduciary obligations.

Section 12 of the DPDPA states: “A data principal shall have the right to obtain from any data fiduciary confirmation as to whether personal data concerning the data principal is being processed, and if so, access to such data. The data principal shall also have the right to correct, complete, update or erase such personal data.”

This right is absolute unless the data fiduciary can demonstrate that retention is required by law. Vague business convenience or historical practice is insufficient legal grounds to deny erasure.

Why This Matters Now for Retail & Hospitality

Retail chains collect customer names, phone numbers, email addresses, purchase history, and payment card details at point-of-sale (POS) systems, loyalty programs, and e-commerce platforms. Hospitality groups maintain guest profiles including room preferences, dietary restrictions, payment methods, and contact information across properties.

Both sectors historically retained this data far longer than needed for the stated purpose (completing the transaction or delivering the service). Section 12 now requires:

  1. Correction rights — If a customer reports their phone number is wrong in your system, you must correct it promptly or document why you cannot.
  2. Erasure rights — If a customer’s data is no longer needed for the purpose stated at collection, you must delete it unless law requires retention (e.g., tax or accounting records).
  3. Proof of compliance — You must respond to requests within a defined period and maintain audit records.

Key Compliance Obligations Under Section 12

1. Establish a Data Correction Process

Retail and hospitality businesses must:

  • Provide customers a way to request data corrections (email, in-app, website form, in-store)
  • Verify the customer’s identity before making changes
  • Document what was corrected and why
  • Respond within 30 days (standard practice; specific timelines may be regulated locally)

Example: A hotel guest reports their email was misspelled during check-in. The hotel must correct it in its CRM system and notify the guest of the change. Failure to update a single incorrect data point in use constitutes Section 12 non-compliance.

2. Implement Erasure Protocols

Data Fiduciaries must:

  • Identify all systems where personal data is stored (POS, CRM, email marketing lists, backups, analytics platforms)
  • Determine what data can be safely erased without breaching other legal obligations (tax law, accounting requirements, payment disputes)
  • Create a “right to erasure” process tied to data retention schedules
  • Ensure erasure is complete — not just marked as deleted, but permanently removed or anonymized across all systems

Example: A retail customer requests erasure of their data 2 years after their last purchase. The business can erase browsing history and abandoned cart data, but must retain purchase records for 5 years per GST law. However, non-essential fields (IP address, device fingerprint, marketing flags) must still be erased.

3. Handle Section 12 Requests Without Delay

Late or incomplete responses invite regulatory action. Retail and hospitality businesses should:

  • Log all correction and erasure requests with timestamps
  • Assign ownership and escalation procedures
  • Track resolution status across all data systems
  • Respond to the customer in writing with confirmation or explanation

Why Retailers and Hospitality Groups Face Higher Risk

  1. High-volume data collection — POS, booking engines, and mobile apps generate thousands of customer records daily.
  2. Multiple storage systems — Data scattered across POS terminals, CRM systems, email providers, loyalty platforms, cloud backups, and payment processors.
  3. Historical non-compliance — Many businesses have no documented retention policies or data inventory.
  4. Customer proximity — Retail customers and hotel guests can easily submit correction or erasure requests in person, online, or via phone.
  5. Regulatory visibility — Retail and hospitality are high-traffic sectors; enforcement agencies can receive complaints from thousands of data subjects.

Regulatory Signals: Why Enforcement Is Accelerating

Early DPDPA enforcement actions (2024–2026) have targeted:

  • E-commerce platforms retaining customer data beyond transaction completion
  • Telecom companies storing call detail records longer than stated purposes
  • Fintech firms with poor data inventory and deletion workflows

Retail and hospitality businesses are next, particularly:

  • Loyalty program operators holding customer data indefinitely without retention justification
  • Hotel chains maintaining guest profiles across merged properties with no unified erasure process
  • Restaurant groups with fragmented POS and delivery platform data and no reconciliation

Implementation Roadmap for Retail & Hospitality

  1. Audit your data — Map all customer data collection points and retention locations (30 days)
  2. Document retention policies — Define how long each data type is needed; align with legal obligations (30–45 days)
  3. Build Section 12 process — Create request intake, verification, and fulfillment workflows (60 days)
  4. Test erasure workflows — Ensure data is actually deleted from all systems, not just marked inactive (30 days)
  5. Train staff — Ensure POS operators, customer service, and hotel front desk can log Section 12 requests (ongoing)
  6. Maintain audit logs — Keep records of every correction and erasure request and the action taken (ongoing)

Real-World Scenario: Retail Chain Compliance

Scenario: A 50-store retail chain with 10 million loyalty members.

  • Data collected: Name, phone, email, purchase history, store visit frequency, payment method on file
  • Section 12 risk: Customers requesting erasure of old purchase data; correction of outdated phone numbers
  • Compliance action:
    • POS loyalty system: Add “request correction” button in customer receipt or app
    • CRM system: Implement “mark for erasure” workflow tied to data retention policy
    • Email marketing: Allow one-click unsubscribe and data erasure from marketing lists
    • Audit: Log all requests in a central dashboard; assign to data governance owner
    • Result: ₹50,000 cost to build systems; avoids ₹200 crore+ penalty exposure

Penalties and Liability

Failure to comply with Section 12 correction and erasure rights triggers:

  • Up to ₹200 crore in penalties per violation
  • Reputational damage — Regulatory action is public and impacts customer trust
  • Litigation risk — Customers can pursue civil remedies under Section 18
  • Business disruption — Enforcement actions can freeze data processing and require system overhauls

Key Takeaway

Section 12 is not optional. Retail and hospitality businesses must implement data correction and erasure processes now — before regulators escalate enforcement. The ₹200 crore penalty ceiling is real, and early enforcement actions signal regulators are already investigating high-volume data collectors in your sector.

Checklist: Section 12 Compliance for Retail & Hospitality

  • Audit: Identify all systems storing customer personal data (POS, CRM, email, analytics, backups)
  • Inventory: List what data is collected, for what purpose, and for how long it should be retained
  • Process: Create intake, verification, and fulfillment workflows for correction and erasure requests
  • Documentation: Maintain audit logs of all requests and actions taken with timestamps
  • Training: Ensure staff can handle customer requests appropriately without delays
  • Testing: Verify that erasure is complete across all systems, including backups
  • Governance: Assign ownership and accountability for Section 12 compliance at the organization level

Frequently Asked Questions

Q: What’s the difference between correction and erasure under Section 12? A: Correction updates inaccurate data (e.g., wrong phone number, outdated email). Erasure removes data entirely when it’s no longer needed for its original purpose. Section 12 grants both rights independently. A customer can request either action, and your business must respond to either request within a reasonable timeframe without unreasonable delay.

Q: Can we refuse to erase data if the customer owes us money? A: You can retain data necessary to resolve a payment dispute or collect a legitimate debt. However, once the dispute is resolved, Section 12 requires erasure unless another law mandates retention (e.g., GST Act, accounting standards, payment card networks). Indefinite retention without legal justification violates Section 12 and invites regulatory action and civil liability.

Q: If we use a third-party CRM or POS vendor, are we still liable for Section 12 compliance? A: Yes. You (the retail chain or hotel group) are the Data Fiduciary under the DPDPA. You must contractually ensure your vendors can execute Section 12 requests on your behalf. If a vendor fails to delete data within your retention timeline, the liability falls on you. Audit your vendor contracts now to ensure they include Section 12 compliance clauses.

Q: Do we have to honor erasure requests for purchase records? A: Purchase records are often protected by tax law (GST Act requires 5-year retention). However, you must erase non-essential fields (browsing history, abandoned cart items, IP address, device fingerprint) and anonymize what remains. Work with your tax advisor and auditor to determine what can be safely erased without breaching statutory obligations. Retain only what law requires.

Q: How quickly must we respond to a correction or erasure request? A: The DPDPA specifies “without undue delay.” Industry practice is 30 days. Check if your state regulator or sector regulator has published specific timelines. Delayed responses are enforcement-friendly evidence of non-compliance. Establish a maximum response SLA (Service Level Agreement) of 30 days internally to stay ahead of regulatory expectations.

Section 12 data erasure rights IndiaDPDPA retail customer data correctionHospitality chain data deletion compliance₹200 crore DPDPA penalty retailCustomer right to erasure hospitalityDPDPA data retention retail chains
VERIFIED DPDPAReady Editorial Desk 24 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →